Meeting minutes
Agenda
McCool: look at features at risk
… and see what is still missing around security
Minutes
McCool: no minutes for Apr 17
McCool: (goes through the minutes)
… any comments?
… just one typo around "access to trust environment" to be fixed as "access to trusted environment"
Luca: not for the minutes themselves, but we should think about a dedicated secure network
McCool: ok
… let's finalize the minutes themselves
(approved)
Dedicated network for guests
WoT Architecture ED - 10.4 Trusted Environment Risks
For example, in the home environment, a separate WiFi network can be used for IoT devices, and routers often provide a "guest" network that can be used for this purpose. In commercial and industrial environments, explicit installation of pre-shared keys SHOULD be used to allow browsers to access local services while using TLS.
McCool: let's create an issue for WoT Architecture
wot-architecture Issue 908 - Correct statement about "guest" networks
<McCool> w3c/
Kaz: for the next Charter, we need to look into various use case scenarios including potential devices from the other SDOs' standards too
Remaining at-risk items
Summary from the latest Testfest
Architecture
McCool: for Architecture
high priority: (1) arch-security-consideration-use-psk (2) arch-security-consideration-dtls-1-3 and low priority: (1) arch-security-consideration-hal-refuse-unsafe
Thing Description
McCool: for Thing Description
low priority: (2) td-security-oauth2-device-flow (2) (1) security-server-auth-td (2) security-context-secure-fetch (1) security-remote-context (1) privacy-immutable-id-as-property
McCool: any concern about them?
… how about "td-security-oauth2-device-flow"?
Luca: somebody may use Bluethooth, etc., with wifi connection
… similar scenarios are possible
McCool: actually, it's a bit odd not to have implementation for this
… maybe we've been overlooking something...
… let me check again
Kaz: btw, what do the numbers with palens mean, e.g., "(2)"?
McCool: number of missing implementations
Kaz: ok
… so the "(2)" at the bottom of "(2) td-security-oauth2-device-flow (2)" is extra
McCool: right
(McCool tries to check the data again, but need some more time)
McCool: "security-server-auth-td"
… we should have implementations and also this is an easy feature
… so would make this high priority
(no objections)
McCool: would suggest we make the following three features "medium priority"
(1) security-server-auth-td resolution pending (1) security-remote-context Intel - wot-ha already resolves - resolution pending (1) privacy-immutable-id-as-property Intel to do
(no objections)
Discovery
McCool: (goes through the remaining features at-risk)
Kaz: how to handle the high/medium priority features?
McCool: those are not about security
… so let's talk about lower priority features now
Lower Priority These have one implementation but are in security considerations and can be converted into "guidelines", so are a lower priority. (1) sec-tdd-query-watchdog (1) sec-tdd-intro-no-multicast These have two but are also in security/privacy considerations and can be converted into "guidelines", so are also lower priority: (2) sec-tdd-throttle-queries (2) sec-tdd-limit-query-complexity (2) sec-tdd-intro-limit-response-size (2) sec-tdd-intro-throttling (1) sec-self-proxy
McCool: (goes through the above lower priority features)
… any opinions to make them higher priority?
(none)
McCool: then privacy features
(2) priv-loc-disable-public-directories (2) priv-loc-anonymous-tds (2) priv-loc-gen-ids (2) priv-loc-explicit-strip (2) priv-query-anon
McCool: most of them will become informative
… any objections to keep them as low priority?
(no objections)
McCool: then OAuth2 flows next
(2) exploration-secboot-oauth2-flows
McCool: we don't have sufficient implementations for that
… would have some discussion about this during the Discovery call later
Issues
McCool: (puts remaining GitHub issues to the agenda for the next call)
… please go through the issues for the discussion next week
… we're making decision for PR transition this week
[adjourned]